Incomplete traffic: custom appID and QoS


Hi,

 

I have traffic generated by Solarwinds NetPath probes that is tagged by the firewall as "incomplete".

 

I ran a packet trace, and after the handshake there are only TCP keep-alive packets.  I'd like to prioritize this traffic in QoS; currently I'm seeing high latency on NetPath at our busiest sites, and I'm thinking this may be because of QoS.

 

Now I cannot see "incomplete" as an app in QoS, so I have a couple of questions.

 

1. Is incomplete traffic being treated as unknown-tcp/udp?

2. Will I be able to create a custom AppID without an http stream I can base a signature on, to have QoS apply to this traffic?

 

 

Thanks,

Luca


Hi @LucaMarchiori

 

In terms of App-ID, these are connections where not enough data, or data that did not match any known application's behavior, were transferred and App-ID was unable to identify a known application.

When this type of application is seen inside the organization, there's a good chance this is benign traffic: maybe a homebrew backup or a scripted maintenance task. If these show up on sessions going out to, or coming in from the internet, they should be a reason for concern.

https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052

 

In other words, "Incomplete" is not an application, and that's why it is not going to be shown in the "Application" column when you create a security rule or QoS rule.

 

My recommendation is that in this case, you create a security policy and QoS policy applying the "Solarwinds" App-ID signature to it, then it may take care of this for you. Now if you don't want that traffic to go through the App-ID engine, I recommend that you create an Application Override Policy, so it will bypass the Application inspection. By doing that, you still can apply security profiles but the rule will be treated as stateful only.

 

I hope it makes sense.

 

Willian



Hi Willian,

In this case I'm positive that the traffic in question is benign; in fact, I'm trying to prioritize it.  Sorry, I don't understand your suggestion of "create a security policy and QoS policy applying the 'Solarwinds' app-id signature to it".  I guess I can't think of how this could possibly work, since the firewall is not assigning an app tag in the first place.

 

Never used app override, but from a quick peek, it looks as though you need to create a custom appID first, which brings me back to my question 2.  Maybe the only way to do this is to forget the app, and use a service based rule?

 

 

 

 

@LucaMarchiori

 

If the firewall is not assigning the App-ID, it is because the application is potentially trying to run over a non-standard port. In this case you have to create your policy allowing the solarwinds application, but leave the service column as "Any", unless you know exactly which port the service is running on.

 

Only creating a service-based rule will not bypass the App-ID engine. You have to create an app override policy so that the App-ID engine will not interfere with the traffic. Your assumption is correct: you have to create a custom App-ID in order to create an app-override policy, but you still need to know which port the service is running over.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-...

I was just looking at that document you linked. 🙂  I know the port (443), port does not change, and the probes are sent just by a couple of servers.

 

So, if I create a custom appID (like in the example), with just dest. port tcp/443 but no signature, and then assign that custom app to override app policy (specifying correct source and dest IPs), you think that would work?

 

I'm not sure I'd define NetPath as an application, it's more like a TCP-based probe?  It basically establishes a TCP connection over whatever port you specify, and then keeps the connection alive for a while, rinse and repeat.  Which is probably why the firewall has a hard time giving it a name, there is not much to go on.
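To make Willian's triage rule (internal "incomplete" sessions are probably benign, internet-bound ones deserve a look) and Luca's proposed override match (probe source IPs plus tcp/443, no signature) concrete, here is an added example that is not from this thread or from PAN-OS. The log records, probe addresses and field layout are constructed assumptions, not real firewall output.

```python
import ipaddress

# Constructed, simplified traffic-log records (assumption, not real PAN-OS logs):
# (app, src, dst, dport, bytes, packets)
SAMPLE_LOG = [
    ("incomplete", "10.1.1.10", "10.2.2.20", 443, 240, 4),     # probe, internal
    ("incomplete", "10.1.1.11", "203.0.113.7", 443, 200, 4),   # probe, internet-bound
    ("incomplete", "10.9.9.9", "198.51.100.5", 8443, 120, 3),  # unexplained, internet-bound
    ("incomplete", "10.3.3.3", "10.4.4.4", 22, 180, 3),        # unexplained, internal
    ("ssl", "10.1.1.10", "10.2.2.20", 443, 5000, 30),
    ("solarwinds", "10.1.1.10", "10.5.5.5", 17777, 9000, 60),
]

# Probe servers and port as described by the poster; the addresses are assumed for the example.
PROBE_SOURCES = {"10.1.1.10", "10.1.1.11"}
PROBE_PORT = 443

# Explicit RFC 1918 ranges; ipaddress.is_private is not used because it also treats
# documentation ranges such as 203.0.113.0/24 as private, which would misclassify the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True when the address falls inside the organization's RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches_override(rec) -> bool:
    """Would a rule keyed on probe source IP + tcp/443 (the sketched custom App-ID /
    app-override) match this session? No payload signature is involved."""
    _app, src, _dst, dport, _b, _p = rec
    return src in PROBE_SOURCES and dport == PROBE_PORT

def triage(records):
    """Bucket 'incomplete' sessions: explained by the probe rule, internal-only
    (likely benign), or touching the internet (worth investigating)."""
    buckets = {"probe": [], "internal": [], "internet": []}
    for rec in records:
        app, src, dst, *_ = rec
        if app != "incomplete":
            continue
        if matches_override(rec):
            buckets["probe"].append(rec)
        elif is_internal(src) and is_internal(dst):
            buckets["internal"].append(rec)
        else:
            buckets["internet"].append(rec)
    return buckets

if __name__ == "__main__":
    for name, recs in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(recs)} session(s)")
        for r in recs:
            print("   ", r)
```

Feeding real traffic-log exports into `triage` requires mapping the firewall's CSV columns onto the tuple layout assumed here.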

 

 

@LucaMarchiori

NetPath is not specified as an application in the App-ID library. In this case you have to use the Solarwinds application in the security rule. According to this Solarwinds documentation below, NetPath is a feature of Solarwinds NPM, and by default displays NPM data and issues.

http://www.solarwinds.com/documentation/en/flarehelp/npm/content/npm-orion-integration-with-netpath....

 

I would configure the policy according to the screenshot below, based on your explanation and the requirements in the documentation above.

(Screenshot: SolarWinds-Security-Policy.PNG)

I am including the SSL application in case you are running the service over port 443, which seems to be the case. I am also leaving the Service as "ANY" in case the service is using non-standard ports.

 

Thanks Willian.  I'll give this a try on Monday and report back.

 

 

Hi Willian,

 

I have an existing security rule that already allows NetPath traffic.  I created a QoS rule with the apps you listed, and I can see the rule showing up in Network > QoS > Statistics > QoS Rules.  So maybe that's it?
